| Author |
Message |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Oct 29, 2025 - 17:53: | |
A preview version of X-Ways Forensics 21.7 is now available. The latest download instructions including log-in credentials can be retrieved by querying one's license status, as always.
What's new in v21.7 Preview?
* The search hit filter now allows to more precisely define where in the context of a search hit an additional keyword is required, either to the left or to the right of the search hit or both. Also, an additional keyword can be required in the search hit itself. That can be useful if the data in the search hit is variable for example because it is based not on a fixed keywords, but on a regular expression (e.g. to match e-mail addresses in general), or because the user has shifted the offset of the search hit to the left or to the right to cover related data that needs to be exported etc.
* The play duration of certain video files that cannot be extracted into the Metadata column during the metadata extraction step can now be extracted when capturing sporadic still images.
* If you select multiple video files whose play durations are known in the Metadata column, the total play duration of all these videos combined is computed and shown below the directory browser. This enables you and others (e.g. lawyers) to better understand the amount of video data, for example to assess how complete the coverage of surveillance videos is or to judge the amount of illegal videos found, in a more meaningful way than measuring it in megabytes, gigabytes or terabytes, especially for a computer layman.
* Same fix level as v21.6 SR-1. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Nov 5, 2025 - 14:08: | |
Preview 2:
* Internal graphics display library thoroughly revised.
* Updated viewing support for WEBP pictures.
* Same fix level as v21.6 SR-2. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Nov 20, 2025 - 8:55: | |
Preview 3:
* The option to assign labels to a parent file now has a tooltip that defines exactly what to expect: The next (closest) parent object that is not a directory will be targeted. This option skips parent directories and keeps looking until a file is found. If no file is found upwards in the hierarchy, no label will be set.
* A new related option was introduced, which targets the so-called ultimate file. That is the parent object highest in the hierarchy that is a file, i.e. the most aggregate file that indirectly contains the data. Parent directories (in file or e-mail archives) can be skipped over optionally. If not, then the last parent file encountered before a directory will be considered the ultimate file. If no file is found upwards in the hierarchy, the label will be set to the selected item itself, if it is a file.
* Another new option allows to simply assign label to all the parent object files of a selected file, in a sequence that may or may not be interrupted by directories. You could then decide later for example based on file type which of those you actually need (e.g. e-mails).
* Several minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Tuesday, Dec 2, 2025 - 16:51: | |
Preview 4:
* Does not waste time with certain unnecessary file system I/O or opening compressed files when including selected files in a hash set and the hash values can simply be taken from the volume snapshot.
* Omitting excluded child objects when printing is now optional.
* Revised processing of .evtx event log files. Fixed some parsing errors. More complete coverage of data types and output of the Name attribute
* Several minor improvements.
* Some of the fixes of v21.6 SR-3. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Dec 10, 2025 - 16:37: | |
Preview 5:
* Progress notifications can now optionally by output into subdirectories that are named after the machine on which the X-Ways Forensics session is running that produces these notifications.
* Surrogate ASCII patterns for unreadable sectors on storage devices with errors, redacted sectors in cleansed images etc. are now prepended with an UTF-8 signature so that the latest version of the viewer component will display such patterns when viewing or previewing files that consist of only such text (interspersed with binary zeroes), assuming that they are text files.
* Same fix level as v21.6 SR-3. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Friday, Dec 26, 2025 - 21:33: | |
Preview 6:
* Greatly accelerated loading (not usage) of very large Passwords.txt files.
* Updated support for PNG and TIFF pictures in the internal graphics display library.
* Support for WofCompressed files in NTFS with resident storage.
* Support for namespace extended attributes in Ext4 file systems.
* Several minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Sunday, Jan 18, 2026 - 16:11: | |
Preview 8:
* "Uncover embedded data..." now outputs all timestamps found within BPLists as a separate type of event.
* Some minor improvements.
* Most of the fixes of v21.6 SR-4. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Jan 26, 2026 - 12:28: | |
Beta 1:
* For more convenience, when starting off filling a skeleton image by taking a new snapshot of an already open volume/partition, a few sectors from the start of that volume/partition are now included as well to enable the recipient to identify the most common file systems. Note that you absolutely do not have to take a volume snapshot and thus transfer all essential file system data structures into the skeleton image. That could easily include a hundred thousand names of files and directories names, which may or may not be necessary or appropriate for your purpose. If you just need the contents and some metadata of certain files in an NTFS file system for example, you can specifically include the FILE records and contents of those files, without the entire $MFT, and thanks to the inclusion of sector 0 (the boot sector) X-Ways Forensics will know what the file system and the cluster size were, and can find the FILE records with a particular thorough file system data structure search in the skeleton image (quickly, thanks to the sparse nature of the image) and will therefore know the storage locations and names and timestamps etc. of those files in the volume.
* A small number of sectors are no longer included in skeleton images indirectly if they are only read for internal purposes (e.g. to identify and highlight slack space area).
* More pictures can now be identified as belonging to the "No device" class, which are known not to have been generated by optical devices like cameras or scanners, but purely by software.
* Some minor improvements.
* Same fix level as v21.6 SR-5. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Feb 2, 2026 - 10:56: | |
Beta 2:
* The password collection in Passwords.txt can now be tried to open BitLocker volumes (not possible in X-Ways Investigator) using multiple threads for much better performance.
* Informs the user if a fitting startup key for a BitLocker volume is found in a .BEK file in the case directory and names that file and its origin.
* The description of individual events can now be changed or set retroactively by the user, using the context menu. (Event descriptions are currently limited to 255 bytes in UTF-8.)
* Selected events from all selected evidence objects can now be included in the case report, near the end, in the order that was last defined in an event list, e.g. sorted by timestamps for a chronological timeline view. (Not in X-Ways Investigator.)
* For both search hits and events there are now two distinct menu commands to add items to the report and remove them. (For search hits there was previously only a single menu command that toggled that state.)
* A new option allows to assign a label to the direct parent object of a selected file, no matter whether it's a file or directory.
* If a file is destined to appear in the case report because it was assigned to a label that is includable in the report as a report table, that file is now marked with a special icon in its name cell, where also a yellow post-it icon appears if the file was commented on. The icon for the report is displayed in a fainter color if the label is not currently selected for output in the report options.
* Slightly revised look of the dialog window in which labels are managed.
* More robust processing of certain corrupt directory cluster chains in FAT file systems.
* X-Tension API: The XT_PREPARE_TARGETFILESWITHUNKNOWNDATA flag now forces XT_ProcessItem() and XT_ProcessItemEx() calls for files with unsupported encryption or compression.
* Some minor improvements.
* Some of the fixes of v21.6 SR-6. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Feb 4, 2026 - 12:41: | |
Beta 3:
* On BitLocker volumes that it can decrypt, X-Ways Forensics now tries to automatically detect unencrypted areas. Such areas can be present if only in-use drive space was encrypted and rewritten when the BitLocker volume was created, for example for performance reasons or because the security implications of this were not understood. If this situation is detected, X-Ways Forensics will recommend running your analyses also on the undecrypted volume, bypassing BitLocker decryption. For example a physical keyword search in the undecrypted sectors in addition to a logical search in the files found in the decrypted volume could be advisable.
* There is a new command in the context menu of an evidence object that is a BitLocker volume that X-Ways Forensics knows how to decrypt. That command allows to open such a volume without decrypting the data in any of its sectors, to see what data are actually, literally stored in them. In that state you could run physical searches or carve data automatically or manually. Not available in X-Ways Investigator.
* The file header signature search can now additionally and automatically perform a second run on the data directly as stored in a partition that is protected with BitLocker, bypassing the decryption algorithm. Either only if the presence of unencrypted areas was detected by X-Ways Forensics in the BitLocker volume (potentially just seconds before during the first, regular run of the file header signature search!) or, if fully checked, on any BitLocker volume that is processed in its decrypted form.
* X-Ways Forensics will specifically remember which files were carved (automatically or manually) while BitLocker decryption was bypassed so that those files in future can be read correctly even when BitLocker decryption is otherwise active. The Description column will identify such files. When working with the decrypted BitLocker volume, switching between Volume/Partition and File mode for such files will show the obvious difference between the data that are either passed through the decryption algorithm in the former modes (falsely, because it was never encrypted in the first place) or not in File mode.
* When creating a skeleton image, the contents of small files that are stored within the $MFT system file can now be automatically excluded from the acquisition when X-Ways Forensics reads $MFT to take a volume snapshot. This may seem like a natural choice since ordinary (larger) files are by default not included in the target image either unless you specifically include them. However, this involves redacting data within certain sectors and as such alters the hash value of the affected sector range in the target image compared to the source volume. As a compromise, if hashing is active, a second hash value for the redacted data is included in the .log file, and that second hash value is the one that is re-computed when you have X-Ways Forensics verify the integrity of a skeleton image created with this new option. Resident main file contents and resident alternative data streams that share the same FILE record as storage space are excluded or included together. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Feb 9, 2026 - 17:02: | |
Beta 4:
* Self-extracting archives in the form of Windows PE .exe files (if they are identified as type "sfx") are now treated as general-purpose archives and are thus explored along with ordinary archives like Zip, RAR, and 7z. The PE section that contains data that can be interpreted as an embedded Zip or RAR archive is then usually identified and processed as such.
* Files in certain corrupt/incomplete archives can now be opened with 0 bytes instead of not at all. That also means that the API function XT_ProcessItemEx() can now receive calls for such files with (useless) handles.
* Some icons in the user interface were revised, for the simultaneous search, copying extracted text, skeleton imaging and running external programs.
* Some minor improvements.
* Same fix level as v21.6 SR-6. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Friday, Feb 13, 2026 - 7:17: | |
Beta 5:
* Adding selected files to a skeleton image will now usually copy those files without slack space, i.e. trigger sector I/O only for the logical file size.
* After taking a volume snapshot of the subject volume that is being acquired as a skeleton image, which includes the essential file system data structures required to locate all file contents, the user is now offered to revert to idle mode so that any subsequent random read operations do not trigger acquisitions any more and the user can freely click around and navigate in the directory browser and will only specifically add file contents to the skeleton image using the dedicated command in the directory browser context menu.
* Some minor improvements.
* The program help was updated for v21.7. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Tuesday, Feb 17, 2026 - 15:11: | |
v21.7 was just released! |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Feb 18, 2026 - 17:56: | |
SR-1:
* Fixed an exception error that could occur when applying OCR to certain PDF documents. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Mar 2, 2026 - 19:13: | |
Also new in v21.7:
A new entry called "media design" in the Summary table in Details mode for several picture file types is meant to aid the assessment of a picture's aspect ratio. The aspect ratio appears in the summary table entry for the picture size (or before v21.8 alternatively sensor size or paper size). There are about 128 aspect ratios that represent a statistically significant variant. All other aspect ratios are labeled "Random". Particularly common aspect ratios, like e.g. 4:3, which are used by camera sensors, are labeled "Native". The group of "Framed" media designs are further distinguished as "Framed", "Square", "Scaled", "Social media" or "Featured". The latter refers to the "Open Graph" standard introduced by Google, which identifies pictures that are meant to represent a website as a whole. Media design information can be used to assess the overall consistency: A picture with a processing state labeled "Original" should always have a media design labeled "Native". A modified picture would expect a "Framed" variety, while "Featured" or "Social media" correlates with the processing state of "Disseminated". If no other tangible context exists, the media design could still be used for a general assessment. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Friday, Mar 20, 2026 - 14:33: | |
SR-2:
* Fixed an exception error that could occur when applying OCR to certain PDF documents.
* Fixed a memory allocation error that could occur when reaching around 358 million items in a volume snapshot.
* Fixed inability to recognize a FAT file system as such if it consists of less than 100 sectors in total.
* The option to skip and omit data in free clusters when creating an image was ignored when active in the .cfg file and when imaging was triggered from the command line. That was changed.
* Fixed inability of v21.6 SR-4 and later to extract e-mails from small MBOX e-mail archives.
* Improved simultaneous compatibility with v8.5.4 and v8.5.7 of the viewer component.
* Improved compatibility of "File Type Signatures Search.txt" with editing in MS Excel.
* Several minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Apr 9, 2026 - 17:06: | |
SR-3:
* Ability to import extracted text from evidence file containers, which can be included in evidence file containers in v21.8 and later.
* Fixed an exception error that could occur when parsing the report.xml file in some UFDR archives.
* Support for overlong UNC (network) paths for progress notifications as files.
* v21.7 did not present the dongle management dialog window in some situations when needed at startup. That was fixed.
* Some minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Sunday, May 17, 2026 - 13:02: | |
SR-4:
* The Exif table in Details mode was not present for HEIC files since v21.6. That was fixed. The fix is has also been applied to v21.6 SR-8.
* Content created timestamps from HEIC files were not translated correctly to local time. That was fixed.
* Improved size detection of QuickTime video files with an mvhd atom. This change is also available in v21.6 SR-8.
* Fixed an instability associated with the parsing of certain PList files.
* Fixed a division by zero error in v21.7 when processing certain video files.
* X-Tensions API: The functions XWF_GetReportTableAssocs() and XWF_AddToReportTable() got new names: XWF_Label() and XWF_GetLabels(). These functions can still be called by their old names for compatibility purposes, but the old names are now deprecated.
* Some minor improvements. |